mvcombine

Description

Takes a group of events that are identical except for the specified field, which contains a single value, and combines those events into a single event. The specified field becomes a multivalue field that contains all of the single values from the combined events.

There are situations where the mvjoin eval function is a better option than the mvcombine command. See Usage.

Syntax

mvcombine [delim=<string>] <field>

Required arguments

field

Syntax: <field>

Description: The name of a field to merge on, generating a multivalue field.

Optional arguments

delim

Syntax: delim=<string>

Description: Defines the string to use as the delimiter for the values that get combined into the multivalue field. For example, if the values of your field are "1", "2", and "3", and delim is "; " then the combined multivalue field is "1";"2";"3".

Default: a single space, (" ")

To see the output of the delim argument, you must use the nomv command immediately after the mvcombine command. See Usage

Usage

The mvcombine command accepts a set of input results and finds groups of results where all field values are identical, except the specified field. All of these results are merged into a single result, where the specified field is now a multivalue field.

Because raw events have many fields that vary, this command is most typically useful after paring down the set of available fields with the fields command. The command is also useful for manipulating the results of certain reporting commands.

Specifying delimiters

The mvcombine command creates a multivalue version of the field you specify, as well as a single value version of the field. The multivalue version is displayed be default.

The single value version of the field is a flat string that is separated by a space or by the delimiter that you specify with the delim argument.

By default the multvalue version of the field is displayed in the results. To display the single value version with the delimiters add the |nomv command to the end of your search. For example ...| mvcombine delim= "," host | nomv host.

Some forms modes of investigating the search results prefer this single value representation, such as exporting to CSV in the UI, or running a command line search with splunk search "..." -output csv. Some commands that are not multivalue aware might use this single value as well.

Most ways of accessing the search results prefer the multivalue representation, such as viewing the results in the UI, or exporting to JSON, requesting JSON from the command line search with splunk search "..." -output json or requesting JSON or XML from the REST API. For these forms of, the selected delim has no effect.

Using mvjoin instead of mvcombine

If the field is a multivalue field and you want a single valued field with a different delimiter, use the mvjoin evaluation function. For example, a multivalue field contains the values "1","2","3","4","5". You want a single valued field with OR as the delimiter, such as "1 OR 2 OR 3 OR 4 OR 5". Use the mvjoin function and not the mvcombine command. See Multivalue Eval Functions.

Instead of three rows, one row is returned. The host field is now a multvalue field.

2. Returning the delimited values

As mentioned in the Usage section, by default the delimited version of the results are not returned in the output. To return the results with the delimiters, you must return the single value string version of the field.

Enter your email address, and someone from the documentation team will respond to you:

Send me a copy of this feedback

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »